On Thu, 2009-08-06 at 20:45 +0100, Arthur Dent wrote: > Hello all, > > I tried today to install the latest hplip package from > http://hplipopensource.com to use the printer driver for my HP Printer > on my Fedora 9 system (I plan to upgrade to Fedora 11 in the next few > weeks). The install package warns you to turn off selinux so I > setenforce 0. I assumed that I would be able to write a policy before > resuming enforcing mode. > > The install went fine with no avcs. I then tried to print a test page > and got 3 avcs (I can post in full if required). Yes, please do. And file a bug against policycoreutils - this looks like a bug in audit2allow/sepolgen (wrongly merging audit rules with different keys). > > SELinux is preventing hp (hplip_t) "name_bind" howl_port_t. > SELinux is preventing hp (hplip_t) "search" to ./dbus > (system_dbusd_var_run_t). > SELinux is preventing hpcups (cupsd_t) "name_bind" howl_port_t. > > From these I tried to create a policy using audit2allow. This is what it > proposed: > > ########################################## > # cat myhplip.te > policy_module(myhplip, 9.0.1) > > require { > type cupsd_t; > type hplip_t; > type system_dbusd_t; > class unix_stream_socket { write connectto search }; > } > > #============= cupsd_t ============== > corenet_udp_bind_howl_port(cupsd_t) > > #============= hplip_t ============== > allow hplip_t system_dbusd_t:unix_stream_socket { write connectto > search }; > corenet_udp_bind_howl_port(hplip_t) > > ########################################## > > "make -f" worked OK on this, but when I tried semodule -i I got the > following error: > > [root@localhost selinux]# semodule -i myhplip.pp > libsepol.permission_copy_callback: Module myhplip depends on permission > search in class unix_stream_socket, not satisfied > libsemanage.semanage_link_sandbox: Link packages failed > semodule: Failed! > > > Is there any way I can resolve this? > > The only existing bug I can find on hplip is 516078 > (https://bugzilla.redhat.com/show_bug.cgi?id=516078) is it related? > > > Thanks in advance for any help or suggestions... > > Mark > > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
